feat(auth): Kratos-only dashboard (drop Auth.js), same-origin + preview-capable#427
Draft
huv1k wants to merge 1 commit into
This was referenced Jun 17, 2026

huv1k added a commit that referenced this pull request on Jun 17, 2026:
Re-applies PR #427's Kratos-only auth on top of current main, which had moved to the @ory/nextjs same-origin Elements flow (pages, SDK proxy, config) but still managed sessions through Auth.js. This removes Auth.js entirely:

- Read the session via @ory/nextjs getServerSession() and mint the backend Hydra access token server-side from the Kratos session (silent grant); no user-facing OAuth2 bounce (preview-friendly).
- Proxy auth gate checks a real Kratos session via /sessions/whoami instead of the Auth.js middleware; the Ory SDK proxy always runs (drop NEXT_PUBLIC_ORY_CUSTOM_UI gate).
- Logout uses the Kratos self-service logout flow (getLogoutFlow).
- tRPC no longer threads an Auth.js session through context.
- Legacy /sign-in, /sign-up, /forgot-password redirect to the same-origin Kratos flow pages (/login, /registration, /recovery).
- Remove src/auth.ts, next-auth.d.ts, all authjs-*/oauth/* machinery, the next-auth dependency, and AUTH_SECRET/AUTH_TRUST_HOST/AUTH_COOKIE_PREFIX env vars; add ORY_OAUTH2_REDIRECT_URI for the silent-grant redirect_uri.

Tests updated/removed for dropped Auth.js paths; build, biome check, and the unit + integration suites pass.
Make Kratos the only auth path and remove Auth.js (NextAuth). main already shipped the @ory/nextjs same-origin Elements UI behind a flag but still managed sessions via Auth.js; this completes the migration:

- Sessions via getServerSession() (Kratos whoami); the backend Hydra JWT is minted server-side from the session (silent grant), no user-facing redirect.
- Middleware auth gate uses an edge-safe whoami; tRPC no longer threads an Auth.js session through context.
- Legacy /sign-in, /sign-up, /forgot-password redirect to the same-origin /login, /registration, /recovery pages; the custom-UI flag gate is removed.
- Logout via Kratos getLogoutFlow().
- Cache the minted backend token across requests, keyed by the validated Kratos session id (+ subject) and reused until just before expiry; the live session is always re-validated first and tokens stay server-only.

Removes src/auth.ts, next-auth.d.ts, the authjs-*/oauth* helpers and routes, the next-auth dependency, and the AUTH_SECRET/AUTH_TRUST_HOST/AUTH_COOKIE_PREFIX/NEXT_PUBLIC_ORY_CUSTOM_UI env vars; adds ORY_OAUTH2_REDIRECT_URI.
What

Makes the dashboard Kratos-only and removes Auth.js (NextAuth).

main already shipped the @ory/nextjs same-origin Elements UI (/login, /registration, /recovery, /verification + SDK proxy) behind a flag, but sessions were still managed by Auth.js. This finishes the migration. The backend contract is unchanged — a Hydra JWT is still sent as Authorization: Bearer, now minted server-side.

Key changes

- getServerSession() (Kratos whoami) replaces the Auth.js JWT; the middleware gate uses an edge-safe whoami; tRPC no longer threads an Auth.js session through context.
- /sign-in, /sign-up, /forgot-password redirect to the same-origin flow pages.
- Logout: getLogoutFlow().
- Removed: src/auth.ts, next-auth.d.ts, the authjs-*/oauth* helpers and routes, the next-auth dependency.

Env

- ORY_OAUTH2_REDIRECT_URI (optional; defaults to https://${NEXT_PUBLIC_E2B_DOMAIN}/api/auth/oauth/callback/ory).
- Removed: AUTH_SECRET, AUTH_TRUST_HOST, AUTH_COOKIE_PREFIX, NEXT_PUBLIC_ORY_CUSTOM_UI.
- NEXT_PUBLIC_ORY_SDK_URL — Kratos public URL (= ORY_SDK_URL on Ory Network).

Because the custom-UI gate is gone, the enable_custom_auth_ui terraform toggle no longer gates dashboard auth.

Verification

build, lint, biome check, and the full unit + integration suite pass (incl. backend-token cache tests). Runtime auth needs preview verification against live Ory (Preview Tests job + SDK-URL env vars).

Follow-ups (not in this PR)

- skip_consent (Ory config, no code change).
- No /settings flow page yet (account settings use admin APIs at /dashboard/account).
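The server-only backend-token cache the commit message describes (live Kratos session re-validated on every call, entry keyed by session id plus subject, reused only until just before expiry), as an added illustration that is not the PR's code: the `whoami`, `mint` and `now` collaborators, the `BackendTokenCache` class and the 30-second skew are assumptions, and the network calls are modelled synchronously so the block runs offline.

```typescript
// Session as returned by Kratos /sessions/whoami (only the fields this example uses).
type Session = { id: string; identity: { id: string }; active: boolean };
// Hydra access token minted by the silent grant; expiresAt is epoch milliseconds.
type Token = { accessToken: string; expiresAt: number };

// Injected collaborators (assumed names). In the real app these are async network calls;
// they are synchronous here so the example is runnable offline.
type Deps = {
  whoami: (cookie: string) => Session | null; // Kratos whoami; null when no/invalid session
  mint: (session: Session) => Token;          // server-side silent grant against Hydra
  now: () => number;                          // clock, injectable for tests
};

// Refresh this long before expiry so a caller never receives a token that dies in flight.
const EXPIRY_SKEW_MS = 30_000;

class BackendTokenCache {
  // Server-only state: tokens live here and are never serialised into a client response.
  private readonly cache = new Map<string, Token>();
  private mints = 0;

  constructor(private readonly deps: Deps) {}

  // Returns a bearer token for the backend, or null when the caller has no live session.
  getToken(cookie: string): string | null {
    // 1. Always re-validate the live session first: a revoked or inactive Kratos session
    //    must never be served from the cache, however fresh its cached token is.
    const session = this.deps.whoami(cookie);
    if (!session || !session.active) return null;

    // 2. Key on session id AND subject, so an entry can never be handed to another identity.
    const key = `${session.id}:${session.identity.id}`;
    const hit = this.cache.get(key);
    if (hit && hit.expiresAt - EXPIRY_SKEW_MS > this.deps.now()) return hit.accessToken;

    // 3. Miss or near expiry: mint a fresh token server-side and replace the entry.
    const fresh = this.deps.mint(session);
    this.cache.set(key, fresh);
    this.mints++;
    return fresh.accessToken;
  }

  // Drop every entry for a session, e.g. after the Kratos logout flow completes.
  invalidate(sessionId: string): number {
    let dropped = 0;
    for (const key of this.cache.keys()) {
      if (key.startsWith(`${sessionId}:`)) { this.cache.delete(key); dropped++; }
    }
    return dropped;
  }

  mintCount(): number { return this.mints; }
}
```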